Some Reflections on the Intersection of Law and Ethics in Cyber War
Dunlap, Charles J., Air & Space Power Journal
Few security issues have captured the attention of the public as has the specter of cyber war. In a recent op-ed, President Obama warns that "the cyber threat to our nation is one of the most serious economic and national security challenges we face."1 This, in turn, has raised many questions about the legal parameters of cyber operations, including the rules applicable to actual cyber war.2
Parallel to the growing interest in the legal aspects of cyber war are an increasing number of questions focused on the ethical dimension. That is an important consideration for any military endeavor but one just emerging with respect to cyber operations.3 Mounting concern about the ethical aspects of cyber activities led the US Naval Academy to sponsor an entire conference on the subject in the spring of 2012. 4 Even more recently, the Atlantic published an article entitled "Is It Possible to Wage a Just Cyberwar?," which discussed several intriguing issues.5
This article reflects upon a few issues that illustrate how legal and ethical concerns intersect in the cyber realm. Such an intersection should not be especially surprising. As historian Geoffrey Best insists, "it must never be forgotten that the law of war, wherever it began at all, began mainly as a matter of religion and ethics. . . . It began in ethics and it has kept one foot in ethics ever since."6 Understanding that relationship is vital to appreciating the full scope of the responsibilities of a cyber warrior in the twenty-first century.
Law and Ethics
How do law and ethics relate? Certainly, adherence to the law is a baseline ethical responsibility, but it is only that- a baseline. In the March 2012 edition of Armed Forces Journal, Lt Gabriel Bradley, USN, points out that "the law of armed conflict sets minimum standards." He goes on to argue persuasively that inculcating individual and institutional moral and ethical values- a sense of honor, if you will- is essential to ensuring actual compliance with the law. And he is certainly right when he quotes Christopher Coker's observation that "laws can reaffirm the warrior ethos; they cannot replace it."7
Of course, even determining the baseline- that is, the law- is not always easy in twenty-first-century operations generally but especially with regard to cyber activities. Among the many reasons for this difficulty is the fact that most of the law of armed conflict was designed to address conflicts waged mainly with kinetic weaponry. Nevertheless, in this writer's view, existing law has ready applicability to cyber operations, a notion that perhaps brings us to the first issue regarding the intersection of law, ethics, and cyber operations.8 Specifically, we sometimes hear that cyberspace is such a new domain that no existing law could- or even should- apply to military operations in it.
Such an idea is simply untrue. Most of the law of armed conflict is not domain specific. Along this line, consider a recent project by the Harvard Program on Humanitarian Policy and Conflict Research to write a manual specifically on the international law applicable to air and missile warfare.9 The program did produce a useful volume, but it is a relatively thin one since the project discovered a comparatively modest amount of law that seemed wholly unique to the air and space domains. One can say much the same about the cyber domain, including ethical considerations.10
Furthermore, what sometimes masquerades as a legal problem in cyber operations is often more of a technical issue or a policy conundrum- not an authentic legal problem. The much ballyhooed issue of what constitutes the proverbial "act of war" in the cyber domain offers a good example. Although the phrase "act of war" is a political term, not a legal axiom, such phrases as "use of force" and "armed attack" do have legal meaning and could relate to a casus belli in terms of a forceful response.11
In fact, the interpretation of such expressions in the cyber realm is resolvable under the law if- and, really, only "if- technology can provide adequate data regarding, for example, the actual harm caused by the supposed "attack," as well as sufficient information about who actually did it. …